The Sandworm hacking group is a cyberespionage group that has been active since 2009 or earlier and is believed to operate from Russia. In recent years the group has been notorious for its high-profile attacks on Ukrainian and European targets, particularly those in the energy industry. The group is also known for using sophisticated malware, such as the BlackEnergy attack framework and an exploit called EternalBlue.
More recently, in September 2019, France reported that it had linked Sandworm to a multiyear hacking spree targeting French government agencies, telecommunications providers, and defence companies with implications reaching beyond Europe’s shores.
What is the Sandworm Hacking Group?
Recently, France’s government-backed cybersecurity agency, ANSSI, tied a Russia-linked hacking group known as Sandworm to a multiyear hacking spree. Sandworm is a cybercrime group suspected of having Russian origins and being involved in various malicious cyber activities.
In this article, we will take a look at who they are and what they do:
Origin of the name
The group most likely chose the name “Sandworm” about the novel “Dune” and its gigantic sandworms that swallow entire people and machines. Given the group’s massive scale and efficiency when mounting cyberattacks, it is apt.
The origin of this group remains a mystery, but evidence suggests they are linked to Russia and have been active since at least 2013. The UK’s National Cyber Security Centre (NCSC) has attributed Sandworm’s activities to a GRU unit known as APT 28 (also known as Fancy Bear and Strontium), which has a history of cyber operations against politically-motivated targets dating back to at least 2007.
In 2019, researchers from security firm CrowdStrike further uncovered ties between Sandworm and elements of the Russian intelligence apparatus with links to France, including two entities that French authorities have allegedly identified as sources of Sandworm’s activity: Digital Security Ltd. (owned by Moscow-based Evrika LLC) and Vistula Ltd., both affiliated with the Russian government.
These revelations put Sandworm in context with other state actors, revealing them to be a multiyear hacking spree powered by highly sophisticated capabilities rooted in Russia. This campaign demonstrates both sophistication and audacity.
The implications of these findings are only beginning to become apparent, but they have already forced us to take a closer look into the geopolitics underlying global cyber aggression.
History of the group
Sandworm is a hacking group associated with Russia’s GRU military intelligence unit. The US Department of Justice and the US National Security Agency have attributed the group’s malicious cyber activity to Russia since at least 2014. Sandworm has been active in network intrusions and data theft operations worldwide since at least 2013, attacking governments, nuclear energy operators, engineering companies, and media outlets across Europe and the United States.
The origins of Sandworm are largely unknown; however, some believe that it began as an extension of Operation “Moscow” in 2009 or 2010. A group allegedly ran that operation within GRU known as “Unit 74455,” which targeted NATO members in the Ukraine and Baltic countries around that time.
In 2018, researchers discovered that the group was behind a hacktivist campaign called “NotPetya,” which destroyed critical infrastructure across Ukraine, Europe, and North America; stole corporate secrets; shut down networks; caused billions of dollars in damage; and disrupted global supply chains. It also exposed how effective Sandworm had become— able to infiltrate sensitive networks within minutes easily—and how far-reaching their ambitions were without geopolitical boundaries.
Additional information came out when France indicted four people for their alleged part in 2016 attacks on the French TV5Monde broadcasting network by Sandworm’s hacking ground known as APT 28 or Fancy Bear (which has ties back to Russia). This exposed more about the alleged activities of the hacking group, which include attacks on political parties abroad (notably attempts to interfere in American elections) and attacks on private business interests across Europe for financial gain.
Sandworm’s Targets
Sandworm is a Russian hacking group that has been active since 2012, with ties to the Russian government. The group has been known to target organizations worldwide for years, focusing on France.
In this section, we will explore the organizations that have been targeted by Sandworm, including the motives behind their attacks:
Geopolitical targets
The Sandworm hacking group, an elite Russia-based collective of cyber criminals whose primary objective has been to target the geopolitical interests of its enemies and allies, first came to public attention in 2014. They have been highly active since then, launching multiple sustained attacks against targets across Europe and the United States.
A 2018 analysis conducted by American security firm Mandiant determined that Sandworm was responsible for a widespread cyber espionage campaign targeting government entities, aerospace and military organizations, energy companies, scientific research centers, telecommunications companies, and media organizations across different countries, including Ukraine, Poland, Austria, and Germany.
More recently, in 2020, France’s National Cybersecurity Agency (ANSSI) traced a series of malicious web injections targeting French entities back to Sandworm. These targeted attacks were believed to be part of a multiyear cyber-espionage campaign for political purposes which included an array of targets such as:
- Transportation networks
- Diplomatic missions
- Energy grids
- Control systems for nuclear power plants
- Fabricated news websites with false content designed to spread propaganda or discredit certain individuals or organizations
- Government ministries
- Computer systems connected with email servers
- Foreign parliaments
- Military telecommunications networks
- Defense contractors
- Factories manufacturing weapons and other strategic products
- Financial institutions offering sensitive services such as international payments or credit card processing
This ongoing campaign has been conducted on behalf of Russian interests as part of a broader strategy aimed at gaining power over European nations.
Corporate targets
The Sandworm hacking group has been linked to some corporate targets in France, Europe, and elsewhere. Between 2015 and 2019, Sandworm allegedly targeted aerospace, engineering, telecommunications, and automotive corporations. The group has also been tied to fraudulent attacks on European banks.
In France, Sandworm reportedly launched numerous phishing campaigns targeting the country’s largest defense contractor Airbus Group SE. The cyberattacks relied mainly on using malicious emails containing phishing links to compromise employee credentials and gain access to the company’s internal network. The attackers may have sought intellectual property related to aircraft prototypes or designs for satellite launches. Additionally, reports suggest that hackers were able to steal source codes belonging to the top French aeronautic corporation Thales Group.
Furthermore, the group allegedly targeted large electronics companies such as Panasonic Avionics and speakers manufacturer Sonos Inc., as well as IT companies including Siemens AG and Altran Technologies SESOFT ECUIG-LTD in Turkey. In financial services, victims include Ukraine’s central bank (NBU), Polish Bank Millennium SA, and even making a false bomb threat at Californian banking firm JP Morgan Chase & Co…
It is important for companies with any type of connection to Russia or Ukraine – such as trading with them or having offices in those countries – to be aware of potential cyber threats from this advanced persistent threat due mainly in part due to its ties with Moscow’s GRU intelligence agency.
Sandworm’s Tactics
The Sandworm hacking group has been linked to a years-long cyber espionage and cyber-attacks campaign. The group is believed to be based in Russia and is associated with the Russian government. By targeting government and business entities in France, Ukraine, and the United States, Sandworm has demonstrated its capacity for sophisticated operations and the extent of its global reach.
Let’s take a closer look at the tactics Sandworm has employed in its operations:
Exploiting software vulnerabilities
The Sandworm hacking group is a Russian-government-linked threat actor active since 2009. According to cybersecurity reports, this nation-state-backed hacker group is notable for its persistent and sophisticated cyberattacks against critical infrastructure.
The Sandworm hackers are believed to be behind the infamous BlackEnergy campaigns, NotPetya ransomware attacks, and, most recently, the supply chain compromise of SolarWinds Orion software. Researchers attribute their widespread success to these threat actors’ ability to identify freelance software vulnerabilities that the public has yet to discover or patch.
In addition to remotely exploiting system weaknesses, Sandworm uses malware for penetration, allowing them access to sensitive data on networks worldwide. This includes espionage activities and disruption with ransomware or destructive attacks such as NotPetya in June 2017.
Sandworm’s tactics include:
- Exploiting local administrator privileges when accessing networks
- Using lateral movements within compromised systems using various toolsets
Researchers believe they tie Russia’s Sandworm hacking group to a multiyear hacking spree costing untold amounts of damage and highlighted by targeted attacks against NATO, government agencies in Ukraine, energy companies in Germany and France, several other countries like Georgia and Poland, as well as vulnerable companies in a range of different industries.
Utilizing spear phishing
Spear phishing is a form of deception by which a malicious threat actor attempts to deceive a target into clicking on a malicious link or attachment or disclosing confidential information. In the case of Sandworm, they have been harnessed to execute cyber-attacks against multiple countries and industries, largely propagating their mission through spear phishing attacks.
The group primarily used malicious email attachments as spear phishing tactics. Such extensions were often sent from trusted IP addresses in Ukraine and other fake ones registered in various countries. Reportedly, these email attachments are usually posed as job offers or referral letters with malicious documents containing macros designed to download and install malware onto the system. Additionally, links were sent via malicious emails pointing users to web pages that presented victims with fake login pages designed to steal user credentials when entered into them.
Moreover, reports revealed that Sandworm also deployed spear phishing emails that impersonated employees of national security institutions and agencies to infiltrate networks belonging to sensitive targets all over the world – particularly those in Russia and France – with a focus on capturing private data belonging to these organisations.
Using malicious tools
Sandworms typically leverage malicious tools, like spyware and trojans, to carry out malicious activity on a target machine. These powerful and versatile tools can infiltrate systems and grant attackers remote access. Additionally, malware can collect various types of data from the victim machine; in some cases, it can be used to manipulate settings or applications on a target computer to ensure control over the system.
Some common techniques that sandworms employ in their attacks include:
- Phishing emails containing malicious links or attachments
- Using brute-force attacks to gain access
- Exploiting known vulnerabilities (such as outdated software)
- Deploying denial-of-service attacks (DDoS) against networks
- Using DHCP exploitation to gain access
Malicious actors may also combine multiple attack approaches in what is commonly referred to as “hybrid” attacks, such as combining a phishing email with a brute-force attack.
Using malicious tools gives an attacker greater control over the target computer and increases their capability for cruel execution on a larger scale.
Establishing remote desktop protocol (RDP) connections is another technique that grants a total attacker control over a targeted network; it is also one of the most preferred methods for furthering campaign objectives.
Sandworm’s Links to Russia
The Sandworm hacking group has been linked to Russia for years. Over the past few years, several cyber-attacks have been attributed to the group, including the massive NotPetya malware attack in 2017.
Recent research by the French government has further strengthened the ties between Sandworm and Russia, providing evidence that the group has been behind a multiyear hacking spree. Let’s dive into the details to find out more.
France Ties Russia’s Sandworm to a Multiyear Hacking Spree
The Sandworm hacking team is believed to be a Russian-speaking cybercrime group associated with some of the highest-profile data breaches of recent years, including the 2017 NotPetya outbreak that disrupted multinational companies across Europe and North America.
Recent research has provided further evidence of direct links between Sandworm and Russia – from team members advertising their services in Russian online forums to signs that the group has been infiltrating targets in France as early as 2013.
A recent investigation by a confidential source conducted on behalf of France’s National Cybersecurity Agency (ANSSI) found that most Sandworm attacks have been launched from servers in the same network range used by a major Russian Group called Crouching Yeti. The investigation additionally notes that domains used to host control panels for the distribution and propagation of malicious code were registered using email addresses belonging to Crouching Yeti.
Furthermore, similarities between code and commands used in both Crouching Yeti operations and other malware activities observed around 2015 indicate an increased level of sophistication behind Sandworm’s attack tools, which could point towards a strong government-driven cyber warfare program.
Coupled with additional evidence from earlier investigations conducted by researchers from ESET security firm (after tracing samples collected during previous infections), all signals point towards Russia’s federal security service – better known as “FSB” – as being behind the infamous hacker group.
Recent activities attributed to Sandworm
Recent activities attributed to the Sandworm group include a series of cyberattacks known as NotPetya and Olympic Destroyer that disrupted thousands of computers worldwide. NotPetya, believed to be launched in June 2017, disabled critical systems in Ukraine before spreading across Europe and worldwide. Olympic Destroyer targeted digital strategies at the 2018 Winter Olympics in Pyeongchang, South Korea.
In July 2020, France’s cybersecurity agency (ANSSI) investigated a 2019 cyberattack targeting a major computer network for the French public administration dubbed “Tegile” by FireEye (the cybersecurity firm hired by victims) after confirming its origin was attributed to Sandworm.
Sandworm has also been connected with several other cyber-espionage campaigns actively using remote access tools (RATs), including Modified Carberp, Shamoon 2/Disttrack, Ethernet, and HyperBro malware families. In addition, the hacking group is believed to be affiliated with and funded by the Russian government through its so-called Advanced Persistent Threat 28 (also known as “Fancy Bear”), whose criminal activities have reportedly cost up to $600 million in damages and affected hundreds of companies worldwide.
tags = hackers known as sandworm, responsible for everything from blackouts in ukraine, russialinked sandworm french itcimpanuzdnet, sandworm french centreon itcimpanuzdnet, france sandworm french centreon itcimpanuzdnet, france russialinked sandworm centreon itcimpanuzdnet, russialinked sandworm french centreon itcimpanuzdnet, france sandworm french itcimpanuzdnet, france russialinked sandworm french centreon itcimpanuzdnet, russialinked sandworm itcimpanuzdnet, sandworm centreon itcimpanuzdnet, sandworm french itcimpanuzdnet, france sandworm itcimpanuzdnet, french security agency warns hackers, stealthily hacked targets, exploiting an IT monitoring tool called Centreon